Multi-Tenant Access Authority Failure Through Administrative Account Bypassing Tenant Isolation With Credentials Exposed in Unprotected System at Verkada
Context
Verkada sold cloud-managed security cameras to enterprise customers. The platform's value proposition was centralized management — customers could access, configure, and monitor their cameras through Verkada's cloud interface rather than maintaining on-premises video management infrastructure. The platform used a multi-tenant architecture in which each customer's cameras, video feeds, and configurations were logically separated from other customers' data. Customer accounts were scoped to their own tenant. The access control model ensured that a hospital could not see a school's cameras, a prison could not see a factory's feeds, and each organization's physical security data remained within its own tenant boundary.
Verkada also maintained internal administrative accounts, "super admin" credentials, that could access cameras and feeds across all customer tenants. These accounts existed as operational tools for Verkada's support and engineering staff, enabling them to troubleshoot customer issues, perform maintenance, and access camera systems when customers requested assistance. The super admin account was not subject to the tenant isolation that governed customer accounts; its purpose was to transcend that isolation. The credentials for one such account were stored on an internal Jenkins continuous integration server (used, by Verkada's own account, by its support team for bulk maintenance operations on customer cameras) that was accessible from the internet without authentication.
Trigger
In March 2021, a hacker collective operating under the name APT-69420, led by Tillie Kottmann, discovered the exposed Jenkins server and obtained the super admin credentials. Using the account, they accessed approximately 150,000 cameras across Verkada's entire customer base. The hackers viewed live feeds and archived video from hospitals — including patient rooms and psychiatric facilities — jails and prisons, police department interview rooms, schools, Tesla manufacturing floors, and Cloudflare offices. They published screenshots and video samples demonstrating the breadth of access, then disclosed the breach publicly.
The access was not surgically targeted. The super admin account provided simultaneous access to every customer's cameras — the same access a Verkada support engineer would have. The hackers did not need to compromise each customer individually, exploit a technical vulnerability in the camera firmware, or penetrate any customer's network. A single set of credentials, found on an unprotected server, bypassed the entire multi-tenant access control architecture. The compromise of one account was the compromise of all customers.
Failure Condition
The multi-tenant access control existed and functioned as designed for customer accounts. Customer A could not access Customer B's cameras. The access boundaries were real and enforced. But the super admin account was designed to operate outside those boundaries — and the security of that account was not proportional to the access it provided. The credentials were stored on an internal server that was accessible from the internet without authentication. The account that could access every camera in the system was protected by the security of an unprotected Jenkins server.
The structural failure was the designed exception. The access control architecture separated customers from each other; the administrative account existed specifically to bypass that separation. When that account was compromised, the compromise was total, not because the tenant isolation failed, but because the administrative account was designed to transcend it. The isolation worked exactly as designed for every customer account; the one account designed to bypass it bypassed it for every customer simultaneously, converting a single credential compromise into access to roughly 150,000 cameras. The access control architecture was therefore exactly as strong as the protection on the account designed to circumvent it, and that protection was an unauthenticated, internet-reachable build server.
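The two access-control shapes described above, the global bypass and a tenant-scoped alternative, as an added example. This is not Verkada's code; the class and function names, the tenant names, the ticket identifiers and the timestamps are all hypothetical. The `blast_radius` helper makes the point of the section concrete: it lists the tenants an attacker inherits by stealing one staff credential under each model.

```python
"""Tenant-scoped authorization with and without a global super-admin bypass.

Added illustration for this case study; not Verkada's code. All names
(Principal, SupportGrant, ScopedAuthorizer, tenant and ticket values) are
hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    tenant_id: Optional[str]          # None for platform (vendor) staff
    is_super_admin: bool = False


@dataclass(frozen=True)
class SupportGrant:
    """Customer-approved, time-bounded access for one staff member to one tenant."""
    staff: str
    tenant_id: str
    ticket: str
    expires_at: datetime


def can_view_camera_legacy(user: Principal, camera_tenant: str) -> bool:
    """Vulnerable pattern: one flag bypasses tenant isolation for every tenant.
    Whoever holds the super-admin credential holds every customer's cameras."""
    if user.is_super_admin:
        return True
    return user.tenant_id == camera_tenant


class ScopedAuthorizer:
    """Hardened pattern: there is no global bypass. Staff reach a tenant's cameras
    only through an unexpired grant for that specific tenant, and every decision
    (allow or deny) is written to an audit log."""

    def __init__(self, grants: List[SupportGrant]):
        self._grants = grants
        self.audit_log: List[dict] = []

    def can_view_camera(self, user: Principal, camera_tenant: str,
                        now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        if user.tenant_id == camera_tenant:
            decision, reason = True, "tenant-member"
        else:
            grant = next((g for g in self._grants
                          if g.staff == user.name
                          and g.tenant_id == camera_tenant
                          and g.expires_at > now), None)
            decision = grant is not None
            reason = f"grant:{grant.ticket}" if grant else "no-grant"
        self.audit_log.append({"actor": user.name, "tenant": camera_tenant,
                               "allowed": decision, "reason": reason,
                               "at": now.isoformat()})
        return decision


def blast_radius(check: Callable[..., bool], user: Principal,
                 tenants: List[str], **kw) -> List[str]:
    """Tenants whose cameras `user` can reach under a given check: the set an
    attacker inherits by stealing that single credential."""
    return [t for t in tenants if check(user, t, **kw)]


def demo():
    """Constructed scenario: one support engineer, four hypothetical tenants."""
    tenants = ["hospital", "prison", "school", "factory"]
    now = datetime(2021, 3, 8, 12, 0, tzinfo=timezone.utc)
    support = Principal("support-eng", tenant_id=None, is_super_admin=True)

    # Legacy model: the flag alone reaches every tenant.
    legacy_reach = blast_radius(can_view_camera_legacy, support, tenants)

    # Scoped model: one active grant (school) and one expired grant (factory).
    authz = ScopedAuthorizer([
        SupportGrant("support-eng", "school", "TICKET-1234", now + timedelta(hours=2)),
        SupportGrant("support-eng", "factory", "TICKET-0999", now - timedelta(days=1)),
    ])
    scoped_reach = blast_radius(authz.can_view_camera, support, tenants, now=now)
    return legacy_reach, scoped_reach, authz.audit_log


if __name__ == "__main__":
    legacy, scoped, log = demo()
    print("legacy super-admin reaches:", legacy)
    print("scoped support reaches:   ", scoped)
    for entry in log:
        print(entry)
```

The grant records are still credentials that must be protected, and the customer-approval and expiry steps are policy the platform has to enforce around them; the difference is that a stolen staff credential in the scoped model yields only the tenants with an active grant at that moment, and each use leaves an audit entry that the customer can be shown.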
Observed Response
Verkada disabled its internal administrator accounts, engaged incident response, and notified affected customers. In 2024 the FTC brought a complaint alleging that Verkada had failed to implement reasonable security measures while representing its platform as secure; the resulting consent order requires a comprehensive information security program and a $2.95 million civil penalty, which the FTC attributed to CAN-SPAM Act violations charged in the same complaint. Kottmann was separately indicted by the U.S. Department of Justice on charges related to other intrusions. The case became a reference for the argument that cloud platforms with administrative access across customer tenants must treat the security of those administrative credentials as equivalent to the security of the entire customer base, because architecturally it is.
Analytical Findings
- 150,000 security cameras across hospitals, prisons, schools, and corporations were accessed through a single super admin account whose credentials were found on an unprotected internet-accessible Jenkins server
- The multi-tenant access control architecture separated customer tenants from each other — the administrative account was designed to bypass that separation for support purposes
- The designed exception to tenant isolation converted a single credential compromise into simultaneous access to every customer's cameras, feeds, and archived video
- The security of the account that could bypass all access controls was not proportional to the access it provided: its credentials sat on an internal server that was reachable from the internet without authentication
- Accessed footage included hospital patient rooms, psychiatric facilities, prison interiors, and police interview rooms — sensitive environments whose physical security data was exposed through a single compromised credential
- The FTC's 2024 consent order required a comprehensive security program and a $2.95 million civil penalty; the case is cited for the principle that administrative accounts bypassing tenant isolation must be secured in proportion to the access they provide across the entire customer base